mongodb · jamis · Jun 8, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
@@ -0,0 +1,30 @@
+# Code Reviews
+
+Do not review anything under `ext/libmongocrypt/libmongocrypt`, as this is a vendored copy of the C library and is not owned by this repository.
+
+## Security Critical Issues
+- Check for hardcoded secrets, API keys, or credentials
+- Check for instances of potential method call injection, dynamic code execution, symbol injection or other code injection vulnerabilities.
+
+## Performance Red Flags
+- Spot inefficient loops and algorithmic issues.
+- Check for memory leaks and resource cleanup.
+
+## Code Quality Essentials
+- Methods should be focused and appropriately sized. If a method is doing too much, suggest refactorings to split it up.
+- Use clear, descriptive naming conventions.
+- Avoid encapsulation violations and ensure proper separation of concerns.
+- All public classes, modules, and methods should have clear documentation in YARD format.
+- If `method_missing` is implemented, ensure that `respond_to_missing?` is also implemented.
+
+## Review Style
+- Be specific and actionable in feedback
+- Explain the "why" behind recommendations
+- Acknowledge good patterns when you see them
+- Ask clarifying questions when code intent is unclear
+
+Always prioritize security vulnerabilities and performance issues that could impact users.
+
+Always suggest changes to improve readability and testability.
+
+When reviewing code, be encouraging.
@@ -0,0 +1,19 @@
+# Project Description
+
+This is the `libmongocrypt` library, packaged as a Ruby gem.
+
+# Project Structure
+
+The project is organized into the following directories:
+
+- `etc/`: helper scripts
+- `ext/libmongocrypt/libmongocrypt/`: the `libmongocrypt` C library source code
+- `lib/`: minimal Ruby code that loads the `libmongocrypt` binary
+
+# Development Workflow
+
+Refer to @README.maint.md for instructions on updating the libmongocrypt library.
+
+# Code Reviews
+
+See [.github/code-review.md](.github/code-review.md) for code review guidelines.
@@ -0,0 +1 @@
+@AGENTS.md
@@ -1,91 +1,122 @@
 #!/bin/bash
 # Compiles libmongocrypt dependencies and targets.
 #
-# Set extra cflags for libmongocrypt variables by setting LIBMONGOCRYPT_EXTRA_CFLAGS.
-#
+# Set extra compilation for libmongocrypt variables by setting CFLAGS and CXXFLAGS.
 
 echo "Begin compile process"
 
 . "$(dirname "${BASH_SOURCE[0]}")/setup-env.sh"
 
-# We may need some more C++ flags
-_cxxflags=""
+set -eu
 
-: "${CONFIGURE_ONLY:=}"
-: "${LIBMONGOCRYPT_BUILD_TYPE:=RelWithDebInfo}"
-
-if [ "$OS_NAME" = "windows" ]; then
-    # Enable exception handling for MSVC
-    _cxxflags="-EHsc"
-    if is_false WINDOWS_32BIT && is_false USE_NINJA; then
-        # These options are only needed for VS CMake generators to force it to
-        # generate a 64-bit build. Default is 32-bit. Ninja inherits settings
-        # from the build environment variables.
-        ADDITIONAL_CMAKE_FLAGS="-Thost=x64 -A x64"
-    fi
-fi
+# Directory where build files will be stored
+: "${BINARY_DIR:="$LIBMONGOCRYPT_DIR/cmake-build"}"
+# Additional compilation flags that apply only to the libmongocrypt build
+: "${LIBMONGOCRYPT_COMPILE_FLAGS:=}"
+# Additional CMake flags that apply only to the libmongocrypt build. (Used by the C driver)
+: "${LIBMONGOCRYPT_EXTRA_CMAKE_FLAGS:=}"
+# release_os_arch is set for release builds.
+: "${release_os_arch:=}"
+
+# Control the build configuration that is generated.
+export CMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE:-RelWithDebInfo}"
+# Sets the default config for --build and CTest
+export CMAKE_CONFIG_TYPE="$CMAKE_BUILD_TYPE"
+# Control the install prefix
+export CMAKE_INSTALL_PREFIX="${MONGOCRYPT_INSTALL_PREFIX-}"
 
 # Have CTest print test failure info to stderr
 export CTEST_OUTPUT_ON_FAILURE=1
+# Generate a compilation database for use by other tools
+export CMAKE_EXPORT_COMPILE_COMMANDS=1
+# Permit skipping build of tests.
+BUILD_TESTING="${BUILD_TESTING-TRUE}"
+# Build nocrypto and sharedbson variants (true by defualt).
+LIBMONGOCRYPT_BUILD_VARIANTS="${LIBMONGOCRYPT_BUILD_VARIANTS:-TRUE}"
+
+# Accumulate arguments that are passed to CMake
+cmake_args=(
+    --fresh
+    # Set the build type. CMake 3.22 recognizes this via environment variable
+    -D CMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
+    # Set the install prefix. CMake 3.29 recognizes this via environment variable
+    -D CMAKE_INSTALL_PREFIX="$CMAKE_INSTALL_PREFIX"
+    # Toggle compiling with shared BSON
+    -D USE_SHARED_LIBBSON="${USE_SHARED_LIBBSON-FALSE}"
+    # Toggle building of tests
+    -D BUILD_TESTING="${BUILD_TESTING:?}"
+    # Enable additional warnings-as-errors
+    -D ENABLE_MORE_WARNINGS_AS_ERRORS=TRUE
+)
+
+# shellcheck disable=SC2206
+cmake_args+=($LIBMONGOCRYPT_EXTRA_CMAKE_FLAGS)
+
+: "${CONFIGURE_ONLY:=}"
 
 if [ "$PPA_BUILD_ONLY" ]; then
     # Clean-up from previous build iteration
-    rm -rf -- "$LIBMONGOCRYPT_DIR"/cmake-build* "$MONGOCRYPT_INSTALL_PREFIX"
-    ADDITIONAL_CMAKE_FLAGS="$ADDITIONAL_CMAKE_FLAGS -DENABLE_BUILD_FOR_PPA=ON"
-fi
-
-if [ "$MACOS_UNIVERSAL" = "ON" ]; then
-    ADDITIONAL_CMAKE_FLAGS="$ADDITIONAL_CMAKE_FLAGS -DCMAKE_OSX_ARCHITECTURES='arm64;x86_64'"
+    rm -rf -- "$LIBMONGOCRYPT_DIR"/cmake-build* "$CMAKE_INSTALL_PREFIX"
+    cmake_args+=(-DENABLE_BUILD_FOR_PPA=ON)
 fi
 
 for suffix in "dll" "dylib" "so"; do
     cand="$(abspath "$LIBMONGOCRYPT_DIR/../mongocrypt_v1.$suffix")"
     if test -f "$cand"; then
-        ADDITIONAL_CMAKE_FLAGS="$ADDITIONAL_CMAKE_FLAGS -DMONGOCRYPT_TESTING_CRYPT_SHARED_FILE=$cand"
+        cmake_args+=("-DMONGOCRYPT_TESTING_CRYPT_SHARED_FILE=$cand")
     fi
 done
 
-ADDITIONAL_CMAKE_FLAGS="$ADDITIONAL_CMAKE_FLAGS -DENABLE_MORE_WARNINGS_AS_ERRORS=ON"
-
-build_dir="$LIBMONGOCRYPT_DIR/cmake-build"
-common_cmake_args=(
-    $ADDITIONAL_CMAKE_FLAGS
-    $LIBMONGOCRYPT_EXTRA_CMAKE_FLAGS
-    -DCMAKE_C_FLAGS="$LIBMONGOCRYPT_EXTRA_CFLAGS"
-    -DCMAKE_CXX_FLAGS="$LIBMONGOCRYPT_EXTRA_CFLAGS $_cxxflags"
-    -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
-    -DCMAKE_BUILD_TYPE="$LIBMONGOCRYPT_BUILD_TYPE"
-    -H"$LIBMONGOCRYPT_DIR"
-    -B"$build_dir"
-)
-
-if is_true USE_NINJA; then
+if test "${CMAKE_GENERATOR-}" = Ninja; then
     export NINJA_EXE
-    : "${NINJA_EXE:="$build_dir/ninja$EXE_SUFFIX"}"
-    common_cmake_args+=(
-        -GNinja
-        -DCMAKE_MAKE_PROGRAM="$NINJA_EXE"
-    )
+    : "${NINJA_EXE:="$BINARY_DIR/ninja$EXE_SUFFIX"}"
+    cmake_args+=(-DCMAKE_MAKE_PROGRAM="$NINJA_EXE")
     bash "$EVG_DIR/ensure-ninja.sh"
 fi
 
+# A command that prepends our custom compile flags for any CMake execution
+_cmake_with_env() {
+    # Prepend our custom C and CXX flags for any possible CMake builds
+    CFLAGS="$LIBMONGOCRYPT_COMPILE_FLAGS ${CFLAGS-}" \
+    CXXFLAGS="$LIBMONGOCRYPT_COMPILE_FLAGS ${CXXFLAGS-}" \
+        run_cmake "$@"
+}
+
 # Build and install libmongocrypt.
-run_cmake \
-    -DCMAKE_INSTALL_PREFIX="$MONGOCRYPT_INSTALL_PREFIX" \
-    "${common_cmake_args[@]}"
+_cmake_with_env "${cmake_args[@]}" \
+    -B "$BINARY_DIR" -S "$LIBMONGOCRYPT_DIR"
 
 if [ "$CONFIGURE_ONLY" ]; then
     echo "Only running cmake";
     exit 0;
 fi
 echo "Installing libmongocrypt"
-run_cmake --build "$build_dir" --target install --config "$LIBMONGOCRYPT_BUILD_TYPE"
-run_cmake --build "$build_dir" --target test-mongocrypt --config "$LIBMONGOCRYPT_BUILD_TYPE"
-run_cmake --build "$build_dir" --target test_kms_request --config "$LIBMONGOCRYPT_BUILD_TYPE"
-run_chdir "$build_dir" run_ctest -C "$LIBMONGOCRYPT_BUILD_TYPE"
+_cmake_with_env --build "$BINARY_DIR" --target install
+
+# If release_os_arch names a minimum glibc requirement (e.g. "linux-x86_64-glibc_2_17-nocrypto"),
+# verify it matches the maximum glibc symbol used.
+if [[ "$release_os_arch" == *glibc* ]]; then
+    expected_glibc=$(echo "$release_os_arch" | sed -r 's/.*glibc_([0-9]+)_([0-9]+).*/\1.\2/')
+    if [ -f "$CMAKE_INSTALL_PREFIX/lib64/libmongocrypt.so" ]; then
+        check_lib="$CMAKE_INSTALL_PREFIX/lib64/libmongocrypt.so"
+    elif [ -f "$CMAKE_INSTALL_PREFIX/lib/libmongocrypt.so" ]; then
+        check_lib="$CMAKE_INSTALL_PREFIX/lib/libmongocrypt.so"
+    else
+        echo "glibc version check failed: libmongocrypt.so not found under $CMAKE_INSTALL_PREFIX"
+        exit 1
+    fi
+    actual_glibc=$(objdump -T "$check_lib" | grep 'GLIBC_' | sed -r -e 's/.*GLIBC_([0-9.]+).*/\1/' | sort -u | tail -1)
+    if [ "$actual_glibc" != "$expected_glibc" ]; then
+        echo "glibc version check failed: release_os_arch requires glibc $expected_glibc but library uses glibc $actual_glibc"
+        exit 1
+    fi
+    echo "glibc version check passed: $actual_glibc"
+fi
+
+run_chdir "$BINARY_DIR" run_ctest
 
 # MONGOCRYPT-372, ensure macOS universal builds contain both x86_64 and arm64 architectures.
-if [ "$MACOS_UNIVERSAL" = "ON" ]; then
+if test "${CMAKE_OSX_ARCHITECTURES-}" != ''; then
     echo "Checking if libmongocrypt.dylib contains both x86_64 and arm64 architectures..."
     ARCHS=$(lipo -archs $MONGOCRYPT_INSTALL_PREFIX/lib/libmongocrypt.dylib)
     if [[ "$ARCHS" == *"x86_64"* && "$ARCHS" == *"arm64"* ]]; then
@@ -101,27 +132,23 @@ if [ "$PPA_BUILD_ONLY" ]; then
     exit 0;
 fi
 
-if "${DEFAULT_BUILD_ONLY:-false}"; then
-    echo "Skipping nocrypto+sharedbson builds"
-    exit 0
+if [ "${LIBMONGOCRYPT_BUILD_VARIANTS:?}" != "TRUE" ]; then
+    echo "Skipping build of libmongocrypt variants";
+    exit 0;
 fi
 
 # Build and install libmongocrypt with no native crypto.
-run_cmake \
+_cmake_with_env "${cmake_args[@]}" \
     -DDISABLE_NATIVE_CRYPTO=ON \
     -DCMAKE_INSTALL_PREFIX="$MONGOCRYPT_INSTALL_PREFIX/nocrypto" \
-    "${common_cmake_args[@]}"
-
-run_cmake --build "$build_dir" --target install --config "$LIBMONGOCRYPT_BUILD_TYPE"
-run_cmake --build "$build_dir" --target test-mongocrypt --config "$LIBMONGOCRYPT_BUILD_TYPE"
-run_chdir "$build_dir" run_ctest -C "$LIBMONGOCRYPT_BUILD_TYPE"
+    -B "$BINARY_DIR" -S "$LIBMONGOCRYPT_DIR"
+_cmake_with_env --build "$BINARY_DIR" --target install
+run_chdir "$BINARY_DIR" run_ctest
 
 # Build and install libmongocrypt without statically linking libbson
-run_cmake \
-    -UDISABLE_NATIVE_CRYPTO \
+_cmake_with_env "${cmake_args[@]}" \
     -DUSE_SHARED_LIBBSON=ON \
     -DCMAKE_INSTALL_PREFIX="$MONGOCRYPT_INSTALL_PREFIX/sharedbson" \
-    "${common_cmake_args[@]}"
-
-run_cmake --build "$build_dir" --target install  --config "$LIBMONGOCRYPT_BUILD_TYPE"
-run_chdir "$build_dir" run_ctest -C "$LIBMONGOCRYPT_BUILD_TYPE"
+    -B "$BINARY_DIR" -S "$LIBMONGOCRYPT_DIR"
+_cmake_with_env --build "$BINARY_DIR" --target install
+run_chdir "$BINARY_DIR" run_ctest